In a bit of an odd move, the Carnegie Mellon's Computer Emergency Readiness Team (CERT/CC) has posted a vulnerability report and a blog post taking AMD to task over their drivers and the impact on system security. As the major partner in the United States’ internet security agency US-CERT and de-facto coordinator for the international CERTs, CERT/CC is both a front-line organization for developing responses to cybersecurity threats and on a more typical day is responsible for organizing and publishing reports and notices about computer system vulnerabilities. So while it’s common for CERT/CC to publish information regarding specific vulnerabilities, it’s less common for them to get involved with general security weaknesses in this manner.

So what has drawn CERT/CC’s attention? It turns out that AMD’s drivers don’t properly behave with/support a vulnerability mitigation feature called Address Space Layout Randomization (ASLR). ASLR serves to make it harder for software vulnerabilities to be exploited by randomizing certain program structures in memory, so that the addresses of these structures cannot reliably be predicted and attacked. Although not undefeatable, ASLR can reduce a number of different types of attacks from a system-owning exploit into a program crash that keeps the system secure. In other words ASLR can’t fix the underlying vulnerabilities in programs, but it can help mitigate the problem so that a proper fix can be instituted.

Because of the chaotic nature of ASLR not every program (particularly legacy programs) can work with it, and for that reason since its introduction in Windows Vista in 2006 ASLR has been a per-program feature that is only enabled with applications that are flagged as being compatible. However because most applications can handle it just fine, systems requiring higher security can use the Enhanced Mitigation Experience Toolkit (EMET) to enable ASLR across the system, which forcibly activates ASLR for all programs.

It’s this last bit that has caught CERT/CC’s attention. As it stands AMD’s video drivers are not ASLR compatible. Turning on ASLR will cause AMD’s drivers to crash, making always-on ASLR unusable on systems using AMD’s drivers.

From a practical perspective this isn’t an issue that affects more than a handful of users. Unlike DEP it’s not something that can be turned on from within Windows, so even technical users like ourselves almost never have ASLR in always-on mode. However for governments and other high value institutions this means they’re forced to choose between AMD hardware and ASLR, which is not something they want to be worrying about. Furthermore it’s been the long-standing goal of computer security organizations to get OSes and programs to a state where ASLR can be enabled globally for every user, a very messy transition that is held back by programs and drivers that are still not ASLR compatible.

Drivers in turn are of particular concern here because of how they interact with the Windows kernel, with video drivers in particular having high access levels for performance purposes, a position that will only become more entrenched as GPUs continue to become more CPU-like and more important to even fundamental computing. All of this is compounded by the fact that AMD in has already been in the spotlight for security vulnerabilities as their drivers were found to have a security exploit in 2007.

Ultimately CERT/CC is looking to apply pressure to AMD to get them to finally make their drivers ASLR compatible, even going so far as to specifically testing and naming Intel and NVIDIA as having ASLR compatible drivers in the vulnerability note. Because of their relationship with US-CERT this is akin to having an arm of the US Government breathing down your neck, which does tend to get results, doubleplus so since the US Government is also a massive IT buyer. In the meantime typical computer users have nothing to be concerned about – and this is the important part for most of us – but it’s unfortunate that AMD has let themselves end up in this situation in the first place.

Update: CERT/CC contacted us this afternoon to clarify who originated the vulnerability report in question. It is technically CERT/CC who published it (in spite of it appearing on US-CERT), so we've corrected the article accordingly.

Update 2: AMD has issued a formal statement in response to CERT/CC's report. In it they assert that the specific condition CERT/CC specifies (modifying a registry key) was not reported in advance, and go on to reiterate that regular users (even those using EMET) are not impacted by this. Furthermore AMD states that they are working on a driver that corrects the issue CERT/CC has discovered. We have republished the full response below

CERT recently approached AMD with information pertaining to what they believed to be a possible video driver vulnerability exposed by non-default settings of the Microsoft Enhanced Mitigation Experience Toolkit (EMET). EMET is a security test tool that allows system administrators to create test conditions to validate correct behavior of system components or indicate potential weak points. The presence of an issue does not necessarily mean that this issue can be exploited in regular operation of a system. The default safety settings of the EMET do not cause the issue in question to occur.

The non-default settings used to produce the system crash at start-up as reported by CERT require changing a System Registry key for the tool (named "EnableUnsafeSettings"), which was not documented until the CERT report was published, and is not accessible through the EMET tool itself.

Given that the conditions created by CERT are a departure from the default safety settings of the Microsoft EMET, users of AMD graphics products will face the problem outlined by the CERT report if their EMET settings are modified, and will otherwise not experience the issue in question. Shortly, AMD will release a driver designed to ensure that a crash does not take place under the conditions outlined by CERT.

<quote>That's a given that nVidia drivers are better, we all know this, and have for years.</quote>

I've gone through a rather large number of both nVidia and ATi/AMD cards over the years and I can say with great certainty that inferior drivers are the hallmark of Intel graphics. I've run into driver issues with both nVidia and ATi with little to distinguish one as superior to the other. SLI does tend to be less problematic than Crossfire for games recently released. However, ATi seems to have (slightly) fewer issues in HTPC applications (not that either company has been critically misbehaved in a good while). Hence, your blanket statement ("We all know this") can be proven false by counterexample.

<quote>It looks like that is the case this time as well. It doesn't matter, and no one should care.</quote>

If you use Microsoft EMET, modify it from default settings, and happened to modify a registry key that was, at the time, undocumented, then you should care ... until ATi releases a fix. It is not as if ATi's drivers can't be used with ASLR. Even if it were, it is not as if that is a security vulnerability. ASLR is a way to make existing vulnerabilities (both know and undisclosed) harder (not impossible) to exploit. If a breach has occurred, then it happened in an other program due a bug that may or may not have been exploitable with system wide ASLR.

<quote>PhysX doesn't matter either.</quote>

It give me more eye candy, but I have yet to play a game where it changes gameplay. A welcome addition, yes, but I would like it better if they opened it up to competitors (licensed?) and it became more prevalent and integral. Until then, it does little to sway my purchasing decision.

<quote>... neither does adaptive v-sync</quote>

I love this one. The benefits are obvious and it can be applied retroactively without the need for developers to lift a finger.

<quote>... nor does target framerate</quote>

Theoretically provides benefits to people with power usage restriction and/or inadequate cooling. Since a few fps won't make a notable difference in power usage and I use cooling solutions capable of keeping my cards well below any thermal design thresholds, it doesn't really concern me. Perhaps it is good for systems where the fan has to get obnoxiously loud to keep it cool under full load. Though, I would consider that a flaw of the cooling system as even my laptop (ASUS G73SW) doesn't have to work that hard to keep cool. Desktops have far more space to work with.

<quote>... nor does dirver updates back to series 6 while HD4000 is dropped</quote>

It should be mentioned, though, that the HD4000 series isn't dropped. It has simply been moved to a less frequent update schedule. I don't like that the HD4000 series has taken a back seat, but I have don't really know where it make since to transition. I like that nVidia supports back to the 6 series, but truth be told, it has been a long time since my 6800 Ultra (or my 8800GT for that matter) saw any benefit from a driver update. I always liked nVidia's as needed release schedule better than ATi's once a month schedule. Perhaps this will allow them to address crossfire issues for new releases more quickly. Still, I think they should fully support at least three major generations back.Reply

Yeah whatever, we all know nVidia drivers are superior period and have been for a very long time. If you actually work on hundreds of systems you find this out and NO counterexample can prove it wrong.Reply

And soon will be brought to you by the Dear Leader of China as they finally won through cracking every last bit of US Government and DOD information, exploited thanks to AMD's lame driver "team fail".Reply